René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Found Heap-use-after-free errors and SEGV in Python","articleBody":"# Your environment\r\n\r\n- CPython versions tested on: 3.12.0 alpha 7\r\n- Operating system and architecture: ubuntu20.04.1,x86_64\r\n- Compiler flags: clang with ASAN and UBSAN instrument\r\n\r\n# Bug description\r\nThe AddressSanitizer (ASAN) tool has detected multiple heap-use-after-free errors and a segmentation fault (SEGV) in the Python interpreter. The heap-use-after-free errors occurred in the ascii_decode and unicode_decode_utf8 functions in the unicodeobject.c file, and the SEGV occurred in the tok_backup function in the tokenizer.c file. Additionally, a memory leak was detected in the pystate.c file.\r\n\r\n# Steps to reproduce\r\n\r\n1. Compile Python with ASAN enabled: `./configure  \u0026\u0026 make`\r\n1. Run Python with ASAN enabled: `./python \u003c poc_file`\r\n1. The heap-use-after-free errors and SEGV should be detected and logged by ASAN.\r\n\r\n# Expected behavior\r\n\r\nNo heap-use-after-free errors or SEGV should occur.\r\n\r\n# Actual behavior\r\n\r\nASAN detected multiple heap-use-after-free errors and a SEGV, as well as a memory leak.\r\n\r\n# Relevant logs and/or screenshots\r\n\r\nThe ASAN summary output is as follows:\r\n\r\n```\r\nAddressSanitizer: heap-use-after-free /src/cpython/Objects/unicodeobject.c:4474:28 in ascii_decode\r\nAddressSanitizer: heap-use-after-free /src/cpython/Objects/unicodeobject.c:4506:28 in ascii_decode\r\nAddressSanitizer: heap-use-after-free /src/cpython/Objects/unicodeobject.c:4483:32 in ascii_decode\r\nAddressSanitizer: SEGV /src/cpython/Parser/tokenizer.c:1234:33 in tok_backup\r\nAddressSanitizer: heap-use-after-free /src/cpython/Objects/unicodeobject.c:4526:37 in unicode_decode_utf8\r\nAddressSanitizer: 3824 byte(s) leaked in 4 allocation(s).\r\nAddressSanitizer: heap-use-after-free /src/cpython/Python/pystate.c:229:23 in bind_tstate\r\nThe full ASAN log can be found in the asan.log file.\r\n```\r\n[asan.log](https://github.com/python/cpython/files/11316179/asan.log)\r\n[python_bug_poc.zip](https://github.com/python/cpython/files/11316193/python_bug_poc.zip)\r\n\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-103993\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/JohenanLi","@type":"Person","name":"JohenanLi"},"datePublished":"2023-04-25T03:35:53.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":9},"url":"https://github.com/103824/cpython/issues/103824"}